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AMENDMENTS TO THE CLAIMS: 

This listing of claims will replace all prior versions and listings of claims in the 
application: 

1 . (Currently Amended) A method for addressing packets in a firewall cluster 
within a single network, the firewall cluster including a plurality of firewall nodes 
comprising one or more processing units, the method comprising: 

selecting, from the firewall cluster within the single network, a first firewall node 
for processing a first packe t, the first firewall node being assigned to a first node 
number : 

receiving, at a first processing unit associated with the first firewall node, the first 
packet; 

modifying, by the first processing unit, as a function of a n tup i o spaco for 
r o prosont i ng addr e sses proc e ss e d by a s e t of proc o ssing units, a first address for of the 
first packet into a first modified s e cond address for th o first packet, such that a guadrant 
identifier determined using a hash function and modulo division from the s e cond first 
modified address be i ng within corresponds to the first node number a rang e of 
address e s assigned only to the first firewall node; 

selecting, from the firewall cluster within the single network, a second firewall 
node for processing a second packe t, the second firewall node being assigned to a 
second node number : 

receiving, at a second processing unit associated with the second firewall node, 
the second packet, the second processing unit being different than the first processing 
unit; 
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modifying, by the second processing unit, as a function of a n - tupi e spac e for 
representing addr e ss e s proc e ss e d by a s e t of proc e ss i ng un i ts, a second first address 
*9f of the second packet into a second modified address for th e s e cond pack e t, such 
that a quadrant identifier determined using a hash function and modulo division from the 
second modified address b ei ng within a rang e of addr e ss e s corresponds to the second 
node number assigned only to the second firewall node, such that wherein the second 
modified address of the second packet does not conflict with the s e cond first modified 
address of the first packet; 

fonwarding the first packet based on the first modified s e cond address of th e first 

fonwarding the second packet based on the second modified address of th e 
s e cond pack e t . 

2. (Cancelled). 

3. (Currently Amended) The method of claim 1 , further comprising: 
assigning to the first firewall node process i ng un i t a first region based on [[the]] a 

N-tuple space. 

4. (Previously Presented) The method of claim 3, further comprising: 
using the first address of the first packet, such that the first address represents a 

point within the first region. 
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5. (Original) Tine method of claim 4, further comprising: 

using N address values as the N-tuple, such that the N address values represent 
the point. 

6. (Currently Amended) The method of claim 1 , further comprising: 
using [[the]] a N-tuple space, such that N is equal to a value of at least two. 

7. (Currently Amended) The method of claim 3, further comprising: 
assigning to [[a]] the second firewall node processing un i t a second region based 

on the N-tuple space, such that the first region is separate from the second region. 

8. (Cancelled). 

9. (Cancelled). 

1 0. (Currently Amended) A method for addressing packets associated with a 
plurality of processing units, each processing unit being associated with one of a 
plurality of firewall nodes in a firewall cluster within a single network, the method 
comprising: 

selecting, from the firewall cluster within the single network, one of the firewall 
nodes for processing a packet, the selected firewall node including a first processing 
unit; 

receiving, at the first processing unit, the packet; 
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reading, at tfie first processing unit, an N-tuple address of tine received pacl<et; 

determining, by the first processing unit, wiietiier the N-tuple address of the 
received packet is within an N-tuple space assigned to the first processing unit based 
on a quadrant identifier and a firewall node number corresponding to the N-tuple space 
value assigned to the first processing unit, wherein [[the]] an N-tuple space assigned to 
each of the plurality of processing units is different, and wherein the quadrant identifier 
is determined from the N-tuple address using a hash function and modulo division : 

sending the packet with the N-tuple address, when it is determined that the N- 
tuple address is within the N-tuple space assigned to the first processing unit; 

determining, when the N-tuple address of the received packet is not within the 
N-tuple space assigned to the first processing unit, a modified N-tuple address based 
on the N-tuple space assigned to the first processing unit, such that the modified 
N-tuple address does not conflict with addresses assigned by any of the other plurality 
of processing units; and 

sending the packet based on the modified N-tuple address. 

1 1 . (Original) The method of claim 10, wherein the reading step further 
comprises: 

reading as the N-tuple address, a plurality of values from the received packet. 

12. (Original) The method of claim 1 1 , wherein the reading step further 
comprises: 

reading at least a source port. 
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13.-16. (Cancelled). 

17. (Previously Presented) The method of claim 10, wherein the step of 
determining the modified N-tupie further comprises: 

adding a value to the N-tuple address, such that the modified N-tuple address is 
within the N-tuple space assigned to the first processing unit. 

18. -20. (Cancelled). 

21 . (Previously Presented) The method of claim 10, further comprising: 
using a computer as the first processing unit. 

22. (Previously Presented) The method of claim 10, further comprising: 
using a router as the first processing unit. 

23. (Cancelled). 

24. (Currently Amended) A method of addressing packets in a firewall cluster 
within a singe single network, wherein the firewall cluster comprises a set of processing 
units, each processing unit being associated with a firewall node, the method 
comprising: 
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selecting, from the firewall cluster within the single network, one of the firewall 
nodes for processing a packet, the selected firewall node including a first processing 
unit; 

receiving, at the first processing unit, the packet; 

reading, at the first processing unit, an N-tuple address of the received packet; 

determining a quadrant identifier based on the read N-tuple address, a hash 
function, and modulo division; 

determining whether the read N-tuple address corresponds to the first processing 
unit based on the quadrant identifier; 

sending the packet with the N-tuple address, when the quadrant identifier 
corresponds to the first processing unit; [[and]] 

determining, when the quadrant identifier does not correspond to the first 
processing unit, a modified N-tuple address that corresponds to the first processing unit, 
such that the modified N-tuple address does not conflict with addresses assigned by 
any of the other processing units; and 

sending the packet based on the modified N-tuple address. 

25. (Previously Presented) The method of claim 24, further comprising: 
assigning each of the set of processing units a firewall node number. 

26. (Previously Presented) The method of claim 25, further comprising: 
determining whether the N-tuple address corresponds to the first processing unit 

based on the quadrant identifier and the firewall node number. 



-7- 



Application No. 10/712,396 
Attorney Docl<et No. 08971.0005-00 



27. (Currently Amended) A system for addressing packets in a firewall cluster 
within a single network, the firewall cluster including a plurality of firewall nodes, the 
system comprising: 

means for selecting, from the firewall cluster within the single network, a first 
firewall node for processing a first packe t, the first firewall node being assigned to a first 
node number : 

means for receiving, at a first processing unit associated with the first firewall 
node, the first packet; 

means for modifying , as a function of a n tuple spac e for r o pr o sonting addresses 
proc e ss e d by a s e t of proc e ss i ng unit&i a first address for of the first packet into a first 
modified s e cond address for tho first pack e t, such that a ouadrant identifier determined 
using a hash function and modulo division from the socond first modified address b e ing 
w i th i n a range of address e s corresponds to the first node number assigned only to the 
first firewall node; 

means for selecting, from the firewall cluster within the single network, a second 
firewall node for processing a second packe t, the second firewall node being assigned 
to a second node number : 

means for receiving, at a second processing unit associated with the second 
firewall node, the second packet, the second processing unit being different than the 
first processing unit; 

means for modifying , as a funct i on of a n tup l e spac e for repres e nting addr e ss e s 
procossod by a s e t of proc e ssing un i ts, a second fij^ address of fef the second packet 
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into a second modified address for tlio s e cond pac l < e t, sucii that a quadrant identifier 
determined using a hasli function and modulo division from the second modified 
address bo i ng with i n a range of address e s corresponds to the seco nd node number 
assigned only to the second firewall node, such that wherein the second modified 
address of the second packet does not conflict with the s e cond first modified address of 
the first packet; 

means for f onward ing the first packet based on the first modified second address 
of tho f i rst packet ; and 

means for forwarding the second packet based on the second modified address 
of th o s e cond pack e t . 

28. (Currently Amended) A system for addressing packets associated with 
one or more processing units, each processing unit being associated with a firewall 
node in a firewall cluster within a single network, the system comprising: 

means for selecting, from the firewall cluster within the single network, one of the 
firewall nodes for processing a packet, the selected firewall node including a first 
processing unit; 

means for receiving, at the first processing unit, the packet; 

means for reading, at the first processing unit, an N-tuple address of the received 
packet; 

means for determining whether the N-tuple address of the received packet is 
within an N-tuple space assigned to the first processing unit based on a quadrant 
identifier and a firewall node number corresponding to the N-tuple space vakie assigned 
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to the first processing unit, wherein the N-tuple space assigned to each of the 
processing units is different, and wherein the quadrant identifier is determined from the 
N-tuple address using a hash function and modulo division : 

means for sending the packet with the N-tuple address, when it is determined 
that the N-tuple address is within [[the]] an N-tuple space assigned to the first 
processing unit; [[and]] 

means for determining, when the N-tuple address of the received packet is not 
within the N-tuple space assigned to the first processing unit, a modified N-tuple 
address based on the N-tuple space assigned to the first processing unit, such that the 
modified N-tuple address does not conflict with addresses assigned by any of the other 
processing units; and 

means for sending the packet based on the modified N-tuple address. 

29. (Currently Amended) A firewall cluster within a single network including 
firewall nodes associated with processing units, comprising: 

means for selecting, from the firewall cluster within the single network, one of the 
firewall nodes for processing a packet, the selected firewall node including a first 
processing unit; 

means for receiving, at the first processing unit, the packet; 

means for reading, at the first processing unit, an N-tuple address of the received 
packet; 

means for determining a quadrant identifier based on the read N-tuple address, a 
hash function, and modulo division; 
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means for determining whiether the read N-tuple address corresponds to the first 
processing unit based on the quadrant identifier; 

means for sending the packet with the N-tuple address, when the quadrant 
identifier corresponds to the first processing unit; [[and]] 

means for determining, when the quadrant identifier does not correspond to the 
first processing unit, a modified N-tuple address that corresponds to the first processing 
unit, such that the modified N-tuple address does not conflict with addresses assigned 
by any of the other processing units; and 

means for sending the packet based on the modified N-tuple address. 

30. (Currently Amended) A system including a firewall cluster within a single 
network including a plurality of firewall nodes, the firewall nodes being associated with 
one or more processing units, said system comprising: 

at least one memory comprising: 

code that selects, from the firewall cluster within the single network, 

a first firewall node for processing a first packet, the first firewall node including a 

first processing uni t, the first firewall node being assigned to a first node number : 



addrossGS proc e ss e d by a s e t of data process i ng units, a first address for of the 
first packet into a second first modified address for th e first pack e t, such that a 
Quadrant identifier determined using a hash function and modulo division from 



code that receives, at the first processing unit, the first packet; 



code that modifies 
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the second first modified address b oi ng within a rang e of addr e ss e s corresponds 
to the first node number assigned only to the first firewall node; 

code that selects, from the firewall cluster within the single network, 
a second firewall node for processing a second packet; the second firewall node 
including a second processing uni t, the second firewall node being assigned to a 
second node number ; 

code that receives, at the second processing unit, the second 
packet, the second processing unit being different than the first processing unit; 

code that modifies as a function of a n tuple spac e for roprosonting 
addr e ss e s proc e ss e d by a s e t of proc e ss i ng un i ts, a firs^ second address fef oL 
the second packet into a second modified address for th e s e cond pack e t, such 
that a guadrant identifier determined using a hash function and modulo division 
from the second modified address b o ing within a rang e of addr e ss e s 
corresponds to the second node number assigned only to the second firewall 
node, such that wherein the second modified address of the second packet does 
not conflict with the s e cond first modified address of the first packet; 

code that forwards the first packet based on the first modified 
second address of tho f i rst packet ; and 

code that fonwards the second packet based on the second 
modified address of th e s e cond pack e t ; and 

at least one processing unit for executing the code. 
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31 . (Currently Amended) A system including a firewall cluster within a single 
network including a plurality of firewall nodes, the firewall nodes being associated with 
processing units, the system comprising: 

at least one memory comprising: 

code that selects, from the firewall cluster within the single network, 
one of the firewall nodes for processing a packet, the selected firewall node 
including a first processing unit; 

code that receives, at the first processing unit, the packet; 

code that reads, at the first processing unit, an N-tuple address of 
the received packet; 

code that determines whether the N-tuple address of the received 
packet is within an N-tuple space assigned to the first processing unit based on a 
quadrant identifier valu e and a firewall node number corresponding to the N-tuple 
space assigned to the first processing unit, wherein [[the]] an N-tuple space 
assigned to each of the processing units is different, and wherein the quadrant 
identifier is determined from the N-tuple address using a hash function and 
modulo division : 

code that sends the packet with the N-tuple address, when it is 
determined that the N-tuple address is within the N-tuple space assigned to the 
first processing unit; 

code that determines, when the N-tuple address of the received 
packet is not within the N-tupIe space assigned to the first processing unit, a 
modified N-tuple address based on the N-tuple space assigned to the first 
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processing unit, such tiiat tiie modified N-tuple address does not conflict with 
addresses assigned by any of the other processing units; and 

code that sends sending the packet based on the modified N-tuple 

address; and 

at least one processing unit for executing the code. 

32. (Original) The system of claim 31 , wherein code that reads further 
comprises: 

code that reads as the N-tuple address, a plurality of values from the received 
packet. 

33. (Original) The system of claim 32, wherein code that reads the plurality of 
values further comprises: 

code that reads at least a source port. 

34. - 36. (Cancelled). 

37. (Currently Amended) A firewall cluster including a plurality of firewall 
nodes within a single network, the firewall nodes being associated with processing 
units, the firewall cluster comprising: 

at least one memory comprising 
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code that selects, from the firewall cluster within the single network, 
one of the firewall nodes for processing a packet, the selected firewall node 
including a first processing unit; 

code that receives, at the first processing unit, the packet; 

code that reads, at the first processing unit, an N-tuple address of 
the received packet; 

code that detemriines a quadrant identifier based on the read 
N-tuple address, a hash function, and modulo division; 

code that determines whether the read N-tuple address 
corresponds to the first processing unit based on the quadrant identifier; 

code that sends the packet with the N-tuple address, when the 
quadrant identifier corresponds to the first processing unit; [[and]] 

code that determines, when the quadrant identifier does not 
corresponds to the first processing unit, a modified N-tuple address that 
corresponds to the first processing unit, such that the modified N-tuple address 
does not conflict with addresses assigned by any of the other processing units; 
and 

code that sends the packet based on the modified N-tuple address; 

and 

at least one processing unit for executing the code. 

38. (Currently Amended) A computer-readable storage medium comprising 
instructions which, when executed by a processing unit, perform a method for 
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addressing paci^ets in a firewall cluster within a single network, the firewall cluster 
including a plurality of firewall nodes, the method including: 

selecting, from the firewall cluster within the single network, one of the firewall 
nodes for processing a packet, the selected firewall node being associated with a first 
processing unit; 

receiving, at the first processing unit, the packet; 

reading, at the first processing unit, an N-tuple address of the received packet; 

determining whether the N-tuple address of the received packet is within an N- 
tuple space assigned to the first processing unit based on a quadrant identifier anda_ 
firewall node number corresponding to the N-tuple space value assigned to the first 
processing unit, wherein [[the]] an N-tuple space assigned to each of the processing 
units is different, and wherein the quadrant identifier is determined from the N-tuple 
address using a hash function and modulo division ; 

sending the packet with the N-tuple address, when it is determined that the 
N-tuple address is within the N-tuple space assigned to the first processing unit; and 

determining, when it is determined that the N-tuple address of the received 
packet is not within the N-tuple space assigned to the first processing unit, a modified 
N-tuple address based on the N-tuple space assigned to the first processing unit, such 
that the modified N-tuple address does not conflict with addresses assigned by any of 
the other processing units; and 

sending the packet based on the modified N-tuple address. 
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39. (Previously Presented) The computer-readable storage medium of claim 
38, wherein reading further comprises: 

reading as the N-tuple address, a plurality of values from the received packet. 

40. (Previously Presented) The computer-readable storage medium of 
claim 39, wherein reading the plurality of values further comprises: 

reading at least a source port. 

41. -43. (Cancelled). 

44. (Currently Amended) A computer-readable storage medium comprising 
instructions which, when executed by a processing unit, perform a method for 
addressing packets in a firewall cluster within a single network, the firewall cluster 
including a plurality of firewall nodes, the method including: 

selecting, from the firewall cluster within the single network, one of the firewall 
nodes for processing a packet, the selected firewall node including a first processing 
unit; 

receiving, at the first processing unit, the packet; 

reading, at the first processing unit, an N-tuple address of the received packet; 

determining a quadrant identifier based on the read N-tuple address, a hash 
function, and modulo division; 

determining whether the read N-tuple address corresponds to the first processing 
unit based on the quadrant identifier; 
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sending the pacl<et with the N-tuple address, when the quadrant identifier 
corresponds to the first processing unit; [[and]] 

determining, when the quadrant identifier does not corresponds to the first 
processing unit, a modified N-tuple address that corresponds to the first processing unit, 
such that the modified N-tuple address does not conflict with addresses assigned by 
any of the other processing units; and 

sending the packet based on the modified N-tuple address. 

45. (Currently Amended) A computer-readable storage medium comprising 
instructions which, when executed by a processing unit, perform a method for 
addressing packets in a firewall cluster within a single network, the firewall cluster 
including a plurality of firewall nodes comprising one or more processing units, the 
method including: 

selecting, from the firewall cluster within the single network, one of the firewall 
nodes within the single network for processing a first packet, the selected firewall node 
being associated with a first processing unit and assigned to a first node number ; 

receiving, at the first processing unit, the first packet; 

modifying , ao a function of a n tup l e opaco for repres e nting addr e sses proc e ss e d 
by a sot of data proc e ss i ng units, a first address of for the first packet into a second first 
modified address for tho f i rst pack e t, such that a quadrant identifier determined using a 

hash function and modulo division from the second first modified address corresponds 
to the first node number bo i ng within a rang e of addresses assigned only to the selected 
firewall node; 
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selecting, from the firewall cluster within the single network, a second firewall 
node for processing a second packe t, the second firewall node being assigned to a 
second node number : 

receiving, at a second processing unit associated with the second firewall node, 
the second packet, the second processing unit being different than the first processing 
unit; 

modifying, by the second processing unit, as a function of a n tupl e spac e for 
repr e s e nt i ng addresses proc e ss e d by a s e t of proc e ssing un i ts, a first second address 
fof of the second packet into a second modified address for tho s e cond pack e t, such 
that a quadrant identifier determined using a hash function and modulo division from the 
second modified address being within a rang e of addr e ss e s corresponds to the second 
node number assigned only to the second firewall node, such that wherein the second 
modified address of the second packet does not conflict with the socond first modified 
address of the first packet; 

fonwarding the first packet based on the first modified s e cond address of th e f i rst 

forwarding the second packet based on the second modified address of th e 
socond pack e t . 



